Popular Ransomware Adds Ability To Steal Victims' Passwords

Microsoft is warning that the Reveton Trojan, a nasty ransomware that locks users out of their computer until they pay the hackers to remove it, now has added the ability to scan and snag all your passwords.

According to Microsoft, this new trick was added so that even if an antivirus does its job and removes the Trojan without you falling to the extortion racket, the attackers' time and effort weren't wasted -- they at least have your passwords (and one that could be used to drain funds from you in a different way).

"Once an exploit kit installs Reveton on a system, the ransomware will start contacting its command and control (C&C) server," wrote Microsoft's Stefan Sellmer in a TechNet blog post. It downloads information about the system's external IP address, for example the Internet provider, city, and country.

While the Trojan goes to work shipping off your information, it's simultaneously installing and running the DLL that locks your screen until payment is received. And it's also running the password-stealing component that is hidden in memory.

The password grabber goes to work in the background, stealing personal information from file downloader lists, e-mail clients, chat logs, remote applications and even accesses where saved browser passwords are in protected storage.

Even from behind bars, the original creator's Trojan is finding new ways to terrorize infected victims thanks to additions like this and the fact that it's rolled up into popular exploit kits like Blacole and Cool Exploit Kit.

Microsoft points out that earlier this year, once a popular Java exploit was dropped into the kits that also included Reveton, more than 100,000 systems were being infected daily. Since then, the infection rate has dropped, but it's still able to snare thousands of new victims on a daily basis.

"Our advice is, before you become a victim of the Reveton infection, spend a few minutes to eliminate possible infection vectors by updating software components which are targeted by drive-by-downloads," said Sellmer. "You should install all the relevant Microsoft security updates and update browser plug-ins like Java and Flash Player."

And if you feel like you've been infected, the first point of action (before even trying to remove the Trojan) is to change all your passwords.